When you think of network-management tools, products such as HP's OpenView or IBM's NetView usually come to mind. These products monitor and maintain configuration information for network devices such as hubs, switches, and routers. Network-management tools usually rely on Simple Network Management Protocol (SNMP) agents, running on these managed devices to provide information to the management console or server. However, few of these tools provide visibility above the Open Systems Interconnection (OSI) network layer of services; instead, they must rely on the individual vendors of those services to provide for management. Windows NT 5.0 steps in to fill this network-management role.
NT 5.0 provides many enhanced and new network services to support and improve the functionality of your Microsoft and non-Microsoft distributed infrastructure. Enhanced services include Dynamic Host Configuration Protocol (DHCP), Windows Internet Naming Service (WINS), and Domain Name System (DNS). New to NT 5.0 are the IP Security (IPSec) standards for authentication, integrity, and encryption of network-layer traffic, and Quality of Service (QoS) support within the network stack and Active Directory (AD). You can think of network-management capabilities in NT 5.0 as network services management rather than as traditional network management. The primary difference between traditional network management and the network services management in NT 5.0 is that NT 5.0's network services tools don't provide the robust enterprise-level monitoring, alerting, and reporting of network devices that a true network-management tool does. However, NT 5.0's tools provide a primary interface for configuration, management, and some monitoring of the network services NT 5.0 provides. In this article, I'll guide you through some of the new and enhanced network services in NT 5.0, and I'll give you a glimpse of the tools you'll use to manage those services.
What's New for Network Management in NT 5.0
Microsoft built many new and advanced networking features into NT 5.0 Server and Workstation. Two of these features are QoS support and the IPSec protocol. (To learn more about QoS, see Tao Zhou, "Build a Better Network with QoS," page 127. To learn more about IPSec, see Tao Zhou, "Internet Protocol Security in NT 5.0," August 1998.)
QoS. QoS is a way of guaranteeing available bandwidth on a per-connection basis and is most frequently associated with multimedia applications or applications that require predictable near- realtime delivery. QoS encompasses a set of industry-standard protocols and requires the participation of your NT 5.0 server and intermediate network devices such as switches or routers. NT 5.0's Admission Control Service (ACS) is Microsoft's part of the QoS equation. The ACS resides on an NT 5.0 server but must be available on each subnet for which you want to provide QoS. If you have five subnets, you'll need either one ACS server for each subnet or one ACS server with five NICs—one NIC to connect to each subnet. But, as I mentioned, the ACS server is only part of the equation. To fully implement QoS, you also need applications that can request a minimum amount of bandwidth. If your network uses routers and switches, those devices must be able to allocate the necessary bandwidth or prioritize traffic within their queues for a given request. Your network devices must also support the Resource Reservation Protocol (RSVP)—an Internet Engineering Task Force (IETF) standard for maintaining a QoS path through your network from a client to a server. You can think of RSVP as its name implies—a reservation for bandwidth at each network device between client and server. The ACS server is the first stop in this reservation process. A server application that requires guaranteed bandwidth contacts the ACS server and communicates its needs. The ACS server sends the bandwidth request through the network to client applications that want to communicate with the server. A client sends its reservation to the server, and communication begins.
ACS offers the ability to differentiate bandwidth allocation based on a specific user, whether you define the criteria for allocation within AD or for outside parties requiring use of your network. Using the ACS management snap-in for the Microsoft Management Console (MMC), you can define bandwidth requirements for the subnet to which your server is connected, and you can define policy for the server based on user accounts, as Screen 1 shows.
IPSec. Support for IPSec is another key network service NT 5.0 provides. IPSec lets you specify authentication and encryption of network communications between a set of defined network devices to ensure privacy. Because IPSec works at the network layer, it doesn't require special modifications to your applications.
To implement IPSec in NT 5.0, you first must define a set of IP security policies. You do so through NT 5.0's IPSec MMC snap-in. These policies define different IPSec profiles you can create to enforce different security requirements. An IPSec policy contains several setting options. The first option is the creation of IP filter lists. These lists let you define groups of machines or subnets and specify which IP protocols and ports will be subject to IPSec. For example, you can create a filter list that specifies the use of IP security between all machines on subnet 192.168.100.0 and all machines on subnet 192.168.101.0 when they are communicating over TCP from any TCP port to TCP port 25 (Simple Mail Transfer Protocol—SMTP—mail). After you create a filter list, you define a negotiation policy. The negotiation policy lets you define how two communicating computers talk to each other. For example, you can specify algorithms that apply varying levels of data integrity and confidentiality. In addition to negotiation policy, you can specify which protocols to use for authentication of the IPSec connection, whether to use an IP tunnel for a given IPSec policy, and what types of connections to apply the policy to (e.g., dial-up or LAN). Screen 2 shows a security policy I set up that requires the use of IPSec for all traffic going to TCP port 25 between two subnets on my network.
After you define an IPSec policy, you can manage it centrally if you install AD within your NT infrastructure. Specifically, the Group Policy feature in AD includes support for security policies. You can include your predefined IPSec policy within a Group Policy Object (GPO) that you create. Because you can apply GPOs at the site, at the Organizational Unit (OU), or at the domain level, you can deliver IPSec policy based on a computer's or user's placement within AD. For example, if you want to apply your IPSec policy to a user in the Engineering OU, you can include that policy in the GPO for the Engineering OU. Doing so guarantees that all traffic to and from that user is subject to your IPSec policy, regardless of the workstation used.
Sites, site links, and subnets. NT 5.0 weaves the concepts of sites and subnets into AD. If you have an Exchange installation, you're already familiar with the site concept. Sites are areas of good network connectivity: for example, any network segment or collection of segments with plenty of available bandwidth, and reliable links. A set of Ethernet segments in a corporate building is a good example of a site boundary. You can conceivably extend a site across WAN links as well, if the links are reliable and of sufficient available bandwidth to accommodate the site requirements. Those requirements depend on the application. For AD sites, you'll probably need approximately 128 kilobits per second (Kbps) of available bandwidth on a link for it to be part of a contiguous site. (For precise figures, you must wait for more real-world NT 5.0 deployments.) Bandwidth is important in NT 5.0 and AD because, just as in Exchange, sites are replication boundaries. That is, within a site, all NT 5.0 domain controllers replicate AD changes on a fixed, frequent internal schedule.
Between sites, you have the flexibility to schedule replication and even choose your preferred network transport for that replication—IP-based or SMTP-based. For example, suppose you have 20 domain controllers within an NT 5.0 AD domain: 10 of the domain controllers are on a LAN at a headquarters office, and the other 10 domain controllers are at remote branch offices, connected via 56Kbps "semireliable" WAN links. You can create one site at each of the 10 remote locations, and one site at a central headquarters. You can then use site links to schedule replication between those sites. Site links are groups of sites that you define to have the same cost and replication schedule. A cost is an arbitrary number you assign to a site link that helps determine the best route to take if multiple replication paths are available between sites. One site can belong to many site links; you might need to include a site in multiple site links to facilitate replication between the site links.
Alternatively, you can define site-link bridges, which let you define connections between site links. A site-link bridge provides alternative and potentially shorter replication paths between site links. For example, you might have many site links within your network, each with overlapping sites for replication. The replication path could therefore be very long, requiring many hops from one end of the replication path to another. Site-link bridges can shorten the number of hops necessary to complete replication.
Where do subnets fit in NT 5.0? You define a subnet object in AD for each logical IP subnet on your network. You then assign subnets to sites to signal to AD that a given subnet belongs to a given site. A site can have multiple subnet objects. For example, you might have many logical subnets in a corporate-office LAN that you can consider to be part of one site. The importance of subnets and their association with sites becomes clear when you consider how clients and servers use site and subnet information. For example, when a workstation logs on to the network, it must locate a domain controller that is in its site. All domain controllers associated with a site are defined in AD. So, once the workstation finds a list of domain controllers within the site, the workstation can use one of those domain controllers to provide authentication services to the domain.
You manage sites and subnets in NT 5.0 with Active Directory Sites and Services Manager, an MMC snap-in. This tool lets you define new sites, create site links and site-link bridges, and view all of your defined sites. You can also use Active Directory Sites and Services Manager to define new subnet objects and associate them with sites. After you've defined sites and subnets, you can use the snap-in to move your domain controllers and other objects between sites.
Network Connections wizard. If you don't like using the Network Control Panel applet to configure network settings on your NT server or workstation, you'll be happy to know that NT 5.0 eliminates the applet in favor of the Network Connections (NC) wizard. You'll still see a Network option in the NT 5.0 Control Panel, but this option is a shortcut to the NC wizard. The NC wizard helps you set up a new network adapter and choose the protocols you want to bind to that adapter. The adapter may be an NIC, a modem line, or even a Virtual Private Network (VPN) tunnel. You also use the NC wizard to set up Remote Access Service (RAS) for dial-in or dial-out.
You use the NC wizard to define named connections to simplify the management of multiple network interfaces on a given server or workstation. From the Network Connections window, which Screen 3 shows, you can enable or disable a connection by right-clicking its icon. You can also review the connection's status and view its statistics. By right-clicking, then selecting Properties from the pop-up menu, you can define protocol configurations (e.g., TCP/IP or IPX) for a given interface.
As is typical for most Microsoft tools, you can move to the Network Connections window from the NT 5.0 interface in at least two ways. From the Control Panel, you can take a shortcut to Network Connections. On the desktop, the new My Network Places icon (which replaces Network Neighborhood) provides access to Network Connections when you right-click the icon and select Properties.
Managing Your Network with the MMC
The key to managing network services in NT 5.0 is the MMC. You can use an MMC snap-in to manage all the networking features I've described. Another MMC snap-in tool, Network Services Management, groups several network services tools within one console. Although MMC snap-ins are the preferred tools for managing and configuring network services in NT 5.0, these snap-ins can't replace more robust network-management tools such as HP's OpenView, Cisco Systems' CiscoWorks, or IBM's NetView. MMC snap-ins are tools specifically geared toward configuration management of NT 5.0 network services, rather than tools for generically monitoring all the network devices in your infrastructure.
Network Services Management Snap-in
The Network Services Management tool provides one console from which you can manage Routing and Remote Access Service (RRAS), telephony options, RAS, and DHCP and WINS. Screen 4 shows the administration window for network services.
Routing and Remote Access. The Routing and Remote Access extension of the Network Services Management tool lets you monitor RAS connections on a given server and manage the routing function NT 5.0 provides. When you use this extension, you can view the current routes the server uses, define new static routes, or add new routing protocols such as Open Shortest Path First (OSPF) or Routing Information Protocol (RIP). You can also enable multicast support on a specific server interface. You use the RAS component of the Routing and Remote Access extension to configure machine-specific RAS settings (e.g., which communication ports to use) and to monitor users dialing into and out of a single machine. The Routing and Remote Access extension augments the Remote Access Policies tool.
Telephony. The Network Services Management tool contains a telephony extension. This extension lets you manage your users, lines, and multiple telephony service providers. Using the extension, you can also configure and manage new telephony providers.
Remote Access Policies. The Remote Access Policies extension lets you set usage policy on a per-machine basis for RAS or VPN services. Using this extension, you can configure options such as the time of day or day of the week when dial-in is permitted, and you can enable RAS on a server. Also, you can create a profile for each RAS policy you define. Creating a profile gives you more fine-grain control of your RAS and VPN users: for instance, which authentication protocol they need to use and how long they can stay connected per session. You can define multiple RAS policies for a given server and the order in which you want them applied. With profiles, you can create targeted policies to keep a tight rein on your RAS users.
WINS and DHCP support. The Network Services Management snap-in enables support for both WINS and DHCP. Many of the features of WINS and DHCP that you are familiar with in NT 4.0 remain in NT 5.0. Although NT 5.0 does not require the NetBIOS-based WINS services, NT 5.0 provides the service to provide backward compatibility with WINS devices. When you've upgraded all of your clients and servers to NT 5.0, you can disable your WINS servers and never have to think about them again. But until that day arrives, NT 5.0 improves on the capabilities available in WINS, giving you such features as the ability to delete individual records from an owner and a more intuitive interface for viewing records that multiple WINS servers own.
DHCP support in the Network Services Management snap-in gives you the ability to define scopes, scope options, and global options. As in NT 4.0, you can view active leases, and delete leases. And in NT 5.0, you can have DHCP automatically update NT 5.0's DNS service—both forward and reverse maps—when a client gets or renews a DHCP lease.
DNS Manager is a separate MMC snap-in tool, which Screen 5 shows. DNS takes on a new role in NT 5.0, becoming the primary name service for NT. With DNS's rise in importance, the tools with which you'll manage DNS in NT 5.0 have increased in functionality and capability. DNS Manager provides much of the management control you would expect to see in a DNS server, including the ability to create new primary and secondary zones, to statically enter resource records, and to configure global options for the DNS service. In addition, NT 5.0 adds some new twists to DNS, including support for dynamic DNS (to learn more about dynamic DNS, see Sean Daily, "10 Steps to Prepare for NT 5.0 Now," February 1998). You'll also find support for hosting your DNS zones files within AD. You no longer need to deal with primary and secondary servers, whereby primaries push changes in zone information to secondaries. Rather, with zone files hosted by AD, DNS zone information replicates via AD's replication schedule to all the domain controllers within your environment.
Most of the Tools You Need
MMC provides a convenient single-interface method to configure and manage network services specific to NT 5.0. Although the tools I've described don't provide some of the features you'll need to manage your entire network infrastructure, I think you'll find them to be quite an improvement over earlier versions. Managing NT networks is slowly but surely getting easier.